
looking for web vuln scanner

hi all,
I'm looking for advice on a web app scanner.
It has to:
Allow scanning only selected pages from the website.
It has to be usable in a production environment (so it must not generate too much traffic).
I tried a few but they always want to follow the links, and some seem to generate enough traffic to affect the response times of the sites.
The last one I tried was skipfish - but it seems to want to scan everything (as you would expect of a Google tool).

I'm looking for a web app scanner that can be used to scan just a selected few pages...
any ideas?

Burp Suite rocks. You can set filters for pages you want to have included in either passive or active scanning, and you can manually select pages to be scanned. It's a fantastic scanner, and it's cheap (ludicrously cheap compared to the other commercial alternatives).

Plus it integrates the scanner into the overall suite which makes use of the intercepting proxy for finding pages to scan, and functions like the Repeater and Intruder are fantastic for doing manual testing and tweaking of web app attacks. Cannot recommend Burp Suite Pro highly enough.

There is also a thread here in the Experts forum started by thorin discussing web app scanners you might want to look at.

Last edited by lupin; 02-02-2011 at 12:20 PM.
Reason: Typos

Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".
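To make the "only these pages, and gently" requirement concrete, here is an added example (not code from the thread, from Burp Suite or from any scanner mentioned above). It models the two controls a production-safe scan needs: a target scope built from include/exclude rules on scheme, host, port and path (the same shape of rule Burp's target scope uses, reimplemented here from scratch), and a token-bucket throttle that caps the request rate so the site's response times are not affected. The discovered URLs and the scope rules are constructed sample data; the `ScopeRule`, `Scope`, `TokenBucket`, `select_targets`, `schedule` and `scan_budget` names are mine, not any tool's API.

```python
"""Scope filter and request throttle for a targeted web app scan (added example)."""
import re
import time
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class ScopeRule:
    """One include/exclude rule; every field is a regex that must match in full."""
    host: str
    path: str = ".*"
    scheme: str = "https?"
    port: str = r"\d+"

    def matches(self, url: str) -> bool:
        u = urlsplit(url)
        port = u.port or (443 if u.scheme == "https" else 80)  # default ports
        return (re.fullmatch(self.scheme, u.scheme) is not None
                and re.fullmatch(self.host, u.hostname or "") is not None
                and re.fullmatch(self.port, str(port)) is not None
                and re.fullmatch(self.path, u.path or "/") is not None)


@dataclass
class Scope:
    include: list
    exclude: list = field(default_factory=list)

    def in_scope(self, url: str) -> bool:
        # An exclude rule always wins, so a heavy or destructive page can be
        # carved out of an otherwise included directory.
        if any(r.matches(url) for r in self.exclude):
            return False
        return any(r.matches(url) for r in self.include)


def normalize(url: str) -> str:
    """Lower-case scheme/host and drop the fragment; keep the query (injection points)."""
    u = urlsplit(url)
    return urlunsplit((u.scheme.lower(), u.netloc.lower(), u.path or "/", u.query, ""))


def select_targets(scope: Scope, discovered) -> list:
    """In-scope URLs from a crawl or proxy history, deduplicated, in discovery order."""
    seen, out = set(), []
    for url in discovered:
        norm = normalize(url)
        if norm not in seen and scope.in_scope(norm):
            seen.add(norm)
            out.append(norm)
    return out


class TokenBucket:
    """Allow `burst` requests at once, then at most `rate` requests per second."""

    def __init__(self, rate: float, burst: int, clock=time.monotonic):
        self.rate, self.capacity = float(rate), float(burst)
        self.tokens = float(burst)
        self.clock = clock
        self.last = clock()

    def wait_time(self) -> float:
        """Book one request; return how long the caller must sleep before sending it."""
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return 0.0
        wait = (1.0 - self.tokens) / self.rate  # time until one token is available
        self.tokens -= 1.0                      # run a debt; later callers wait longer
        return wait


def schedule(urls, rate: float, burst: int) -> list:
    """Send offsets (seconds from start) if all requests are queued at t=0."""
    bucket = TokenBucket(rate, burst, clock=lambda: 0.0)  # fixed clock: deterministic
    return [(bucket.wait_time(), u) for u in urls]


def scan_budget(targets, checks_per_page: int, rate: float) -> tuple:
    """Total requests the scan will send and the minimum wall time at `rate` req/s."""
    total = len(targets) * checks_per_page
    return total, total / rate


# Constructed sample: URLs seen in a proxy history while browsing the target.
DISCOVERED = [
    "https://shop.example.com/login",
    "https://shop.example.com/login#form",          # duplicate once fragment is dropped
    "https://shop.example.com/account/profile?id=42",
    "https://shop.example.com/account/export",      # excluded: expensive report job
    "https://shop.example.com/catalog/item?id=7",   # not on the include list
    "http://shop.example.com/login",                # wrong scheme
    "https://cdn.example.com/app.js",               # other host
    "https://shop.example.com:8443/login",          # wrong port
]

SCOPE = Scope(
    include=[ScopeRule(host=r"shop\.example\.com", path=r"/login", scheme="https", port="443"),
             ScopeRule(host=r"shop\.example\.com", path=r"/account/.*", scheme="https", port="443")],
    exclude=[ScopeRule(host=r"shop\.example\.com", path=r"/account/export")],
)

if __name__ == "__main__":
    targets = select_targets(SCOPE, DISCOVERED)
    print("in scope:", targets)
    print("send offsets at 2 req/s:", schedule(targets * 2, rate=2, burst=2))
    print("budget for 300 checks/page:", scan_budget(targets, 300, rate=2))
```

Run with plain Python 3; it only uses the standard library. The budget figure is the number to look at before pointing anything at production: two pages times a few hundred checks is still hundreds of requests, so the rate cap, not the page count, is what keeps response times flat.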

Re: looking for web vuln scanner

Yep, Burp Suite is something that is doing some hard work for me, but to be honest, for webapp testing I am combining it with W3AF. And nowadays W3AF is beginning to play the main role in this kind of testing.

Re: looking for web vuln scanner

Originally Posted by jirtos

Yep, Burp Suite is something that is doing some hard work for me, but to be honest, for webapp testing I am combining it with W3AF. And nowadays W3AF is beginning to play the main role in this kind of testing.

I have heard good things about w3af from some people, and bad things from others. My own experiences with it have not been great - for one thing I find its use very hard to integrate into my workflow.
